I can relate to your frustration and I don't care about vendors much myself, but I do care about end users. If you feel they are best served by releasing the 0-day to show how bad the security is, do include the communication in full to show how badly @vanilla handled it.
-
Well yes, the hype cycle is important; I reluctantly admit that having a name/logo/theme song for your vulnerability can help drive patch adoption. On the other hand, EternalBlue hit hard despite the disclosure and patches being available.
-
Yes, it's certainly not black and white. Just wanted to caution against venting frustration through 0-day if that would otherwise not help. But if a vendor is truly failing to secure their users, that should be made *very* public indeed. (@PwnieAwards FTW!) -
Let's see: no CVEs ever assigned, misguided commit messages instead of the actual reasons for the code change... disclosure after like 6 months...
@vanilla is doing the pay4silence thing on @Hacker0x01. -
I can only second @berendjanwever here.
Users are not guilty of anything here, the vendor is. -
So when a vendor has a bug bounty that restricts disclosure and doesn't provide auto-update features or reference security fixes in the changelog, is communicating with the vendor supposedly helping keep users safe, so they can maintain the status quo where users aren't updating?
-
A little empathy, guys. Dropping stuff should be the last-resort option, not the first thought when a vendor is not responding for a week or not assigning a CVE.
-
Or perhaps you're not dealing with disclosure at scale; there is a limit to how much time an individual can invest in chasing disclosure with reluctant vendors.
-
I think you can get them deleted from the bug bounty platform if you provide enough proof of how bad the situation is.